Are You GDPR Compliant?

If you haven’t heard about GDPR (General Data Protection Regulation), then you need to find out about it quickly. All businesses worldwide are expected to be GDPR compliant by May 25, 2018.

Not sure if this law applies to you because you have a U.S. based business? Apparently, even if you have only one EU customer or email subscriber that you hold personal data for, it surely does apply to you.

The purpose of the GDPR is to provide a set of standardized data protection laws across all the member countries. Although this regulation doesn’t come into effect until May 25, it also applies to anyone from EU who may have joined your list in the past and is still on it.

There are tough penalties for companies and organizations who don’t comply with GDPR fines of up to 4% of annual global revenue or 20 million Euros, whichever is greater.

So what is considered personal data? The GDPR very broadly defines personal data as any information relating to a person, including names, email addresses, social media posts, IP addresses, and cookies because they can be traced to a person and combined with other data to identify a specific person.

9 Simple Steps for GDPR Readiness

1. Make sure the email marketing provider being used is also GDPR compliant and that your subscribers know what they are opting in for. When asking for an email, be sure you are clear about asking for consent for not only the free ebook but also consent to future emails.

Your subscribers will need to intentionally agree to join your email list so that you can send them newsletters or future emails. It also is no longer acceptable to include a pre-checked box or send different types of emails to them than the ones they signed up for.

On opt-in forms, be sure to include text that makes it clear what people are signing up for. If you’re offering a free download in exchange for someone’s email, include a checkbox asking permission to send regular marketing emails from your business.

2. Don’t ask for information your company doesn’t necessarily need, the GDPR stipulates that companies should only ask for information actually need.

3. Make it easy for subscribers to edit or delete their information. Subscribers should easily be able to withdraw or stop having their personal information used.

Once someone unsubscribes, it’s extremely important to remove them from any third party software tools you use, or clearly state in your privacy policy that you’re not responsible for what happens after people leave your site. Be sure there is an “Unsubscribe” link on your emails for your lists. And if anyone unsubscribes, be sure to delete their email immediately and never email them again.

4. When building your email list, be sure to use a double opt-in process. The double opt-in requires subscribers to click a confirmation link in an email if they want to receive emails from you.

5. If you’re collecting emails at a live event, keep the document that your subscribers signed up on to be added to your email list.

6. Link to Privacy Policy or Terms of Use on website, emails and where subscribers opt-in. Your privacy policy needs to be clear and explain how & who will use & protect the personal information. It needs to say who you are and because you opted in you have the right to use their data. If you are using third-party tools you need a disclaimer that you aren’t responsible for what happens when they leave your site. You should know how those third-party service providers are using the data as well.

**Please consult your attorney for more info on the specifics of your company’s needs.

7. Keep a written record of your process in terms of how you use and collect their information and what happens in the event your site or emails are ever hacked.

8. Be sure you go through your list and remove any emails that were not collected properly. If you’re not sure, send an email to the list requesting them to opt-in again.

9. Make sure your website is secure by enabling https to encrypt sensitive data keeping it safe. All website owners should upgrade to Google HTTPS if they haven’t already.

*Please note that we’re NOT lawyers, and this post is not meant to be taken as legal advice. If you have any questions about how to comply with the GDPR for your business, please consult an attorney or a GDPR Consultant.